ISO 27001:2022 & Threat Intelligence
The 2022 update to ISO/IEC 27001 made threat intelligence a first-class control. Annex A 5.7 requires organisations to collect and analyse information about threats to produce threat intelligence, and unlike most Annex A controls, it has very few allowable exclusions. If you are certified, you have to demonstrate it.
For most teams, that is good news. A 5.7 is the control that justifies the rest of the threat intelligence programme. It is also the one that makes the other 2022 controls much easier to satisfy — because good intelligence generates evidence for almost everything else.
The Headline Change: Annex A 5.7
Before 2022, ISO 27001 had no explicit threat intelligence control. Teams were free to argue that their existing risk assessment and monitoring covered it. After 2022, A 5.7 is mandatory in almost every ISMS scope, and it asks for a clear, documented intelligence practice: sources, collection methods, analysis, and outputs that flow into the security programme.
In plain terms, an auditor will look for evidence that you (a) collect threat information from defined sources, (b) analyse it, and (c) use the result. A vendor brochure is not enough. A live feed that no one reads is not enough. The expectation is a working loop, not a checkbox.
Key Insight
A 5.7 is the most underused shortcut in ISO 27001. If you satisfy it well, you generate the evidence that satisfies Clause 6.1.2, A 5.24, A 5.25, and A 8.8 almost as a side effect. The same threat report can populate a risk register, justify a control, and feed an incident playbook.
The Other 2022 Controls That Benefit
Several other controls in the 2022 update become much more credible when paired with structured intelligence.
Clause 6.1.2 — Risk Assessment
Risk owners are expected to identify realistic threat scenarios. A live, sector-aware intelligence feed turns that expectation from a documentation chore into a routine: every quarter, the threat catalogue is refreshed from current activity rather than copied from last year's template.
Annex A 5.24 — Incident Management Planning
IR plans should reflect realistic scenarios, not hypothetical ones. With current TTPs and IOCs in hand, an IR team can build and test playbooks against the actual behaviour of adversaries targeting their sector. Drills stop being theatre and start being useful.
Annex A 5.25 — Triage of Security Events
Analysts triaging alerts need context: is this activity consistent with a known actor, a known campaign, or just background noise? Structured threat-actor and malware profiles make that question answerable in seconds instead of minutes.
Annex A 8.8 — Management of Technical Vulnerabilities
A high CVSS score does not mean high risk. The 2022 control expects vulnerability management to factor in active exploitation. Mapping CVEs to threat actors and active campaigns converts a static CVSS dashboard into a prioritised, context-aware queue.
Annex A 6.8 — Event Reporting and Awareness
Staff need to know what to look for. Generic phishing posters do not help when the actual threat to your sector is business email compromise or supply-chain impersonation. Sector-aware threat briefings give awareness material that is concrete and current.
What an Auditor Will Actually Look For
In practice, a clean A 5.7 evidence pack has a few recognisable parts. There is a documented source list — feeds, OSINT sources, darknet sources, internal telemetry — with named owners. There is a collection plan that says which sources feed which audiences and how often. There are dated outputs — reports, briefings, alerts — showing the intelligence in use. And there is a closure trail showing that an IOC, TTP, or actor finding actually changed something: a SIEM rule, a playbook, a risk register entry, a board briefing.
If you can show all four, A 5.7 is satisfied cleanly. If any one is missing, expect a finding.
Common Mistakes
- Treating A 5.7 as a tooling question — auditors want to see analysis and action, not a vendor logo
- Feeding threat data into the SIEM but never closing the loop with documented playbook updates
- Writing risk scenarios once a year and assuming they are still credible at the next audit
- Letting intelligence live in a different team from the controls it is supposed to inform
Next Steps
See how this fits into a wider programme in our guide to building a modern CTI programme, or read about the related regulatory requirements in our NIS2 and DORA primers.
Ready to get ISO 27001:2022 compliant? View Threat Landscape pricing or request evaluation access.